This project implements a secure CI/CD pipeline for a Hotstar-like streaming application deployed on AWS EKS using DevSecOps best practices. It integrates security checks directly into the pipeline to catch vulnerabilities early and enforce secure deployments.
- SonarQube → Static code analysis
- OWASP ZAP → Dynamic application security testing
- Docker Scout → Container image vulnerability scanning
- Terraform → Infrastructure as Code (AWS EKS provisioning)
- Jenkins → Orchestrates CI/CD pipeline
Make sure these tools are installed and available on the Jenkins agent:
- Git
- Node.js and npm
- Docker Engine
- AWS CLI
- kubectl
Install and configure these Jenkins plugins:
- Pipeline
- Git
- HTML Publisher

The pipeline also depends on the following external services:
- **SonarQube Server**
  - SonarQube runs in a Docker container:
    ```bash
    docker run -d --name sonarqube -p 9000:9000 sonarqube:latest
    ```
  - Accessible from Jenkins (e.g. http://3.111.96.69:8080).
  - A project key configured: `hotstar-app`.
  - A Sonar token with analysis permissions.
- **Docker Hub**
  - Account: `maheshbharambe45`. The built image is pushed to this account.
- **AWS EKS Cluster**
  - Cluster name: `hotstar-eks`.
  - Region: `ap-south-1`.
  - Worker nodes able to pull Docker Hub images.
  - Security groups and IAM roles properly configured.
Create these credentials in Manage Jenkins → Credentials:
- **SONAR_TOKEN**
  - Type: Secret text.
  - Value: the Sonar token (`SONAR_TOKEN`).
- **MY_DOCKER_PASS**
  - Type: Secret text or Username/Password.
  - Username: `maheshbharambe45`
  - Password: Docker Hub token.
- **AWS credentials**
  - `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` as environment variables or Jenkins credentials.
The pipeline runs the following stages.

**Checkout**: Checks out the repo from GitHub (https://github.com/Maheshbharambe45/Hotstar-Project-DevSecOps-Pipeline.git) and verifies the expected project structure.

**Install dependencies**: Installs Node.js dependencies:

```bash
npm install
```

**SonarQube analysis**: Runs the Sonar scanner in Docker against the Jenkins workspace:

```bash
docker run --rm \
  -e SONAR_HOST_URL=http://3.111.96.69:9000 \
  -e SONAR_LOGIN="$SONAR_TOKEN" \
  -v /var/lib/jenkins/workspace/Hostar_Clone:/usr/src \
  sonarsource/sonar-scanner-cli \
  -Dsonar.projectKey=hotstar-app \
  -Dsonar.projectName=hotstar-app \
  -Dsonar.sources=src \
  '-Dsonar.exclusions=**/node_modules/**,**/build/**'
```

Results accessible at: http://3.111.96.69:9000/dashboard?id=hotstar-app

**Build Docker image**:

```bash
docker build -t maheshbharambe45/hotstar-app .
```

**Docker Scout scan**: Installs the Docker Scout CLI in the workspace:

```bash
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | \
  sh -s -- -b .docker-plugins
```

Scans the image for CVEs:

```bash
.docker-plugins/docker-scout cves maheshbharambe45/hotstar-app:latest
```

**Push image**: Logs in to Docker Hub using `MY_DOCKER_PASS` and pushes the image:

```bash
echo "$MY_DOCKER_PASS" | docker login -u maheshbharambe45 --password-stdin
docker push maheshbharambe45/hotstar-app:latest
```

**Deploy to EKS**: Configures kubeconfig for `hotstar-eks`:

```bash
aws eks update-kubeconfig \
  --name hotstar-eks \
  --region ap-south-1 \
  --alias hotstar-eks
```

Applies the Kubernetes manifests:

```bash
kubectl apply -f deployment.yml
kubectl apply -f service.yml
```

Retrieves the ELB hostname and prints the final URL:

```bash
kubectl get svc hotstar-service \
  -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
```

```
Deployed App URL: ab12b4...-1248999305.ap-south-1.elb.amazonaws.com
```

**OWASP ZAP baseline scan**: Creates the report output folder and runs the ZAP baseline in Docker against the ELB URL:

```bash
mkdir -p zap-output
chmod 777 zap-output
docker run --rm \
  -v "$PWD/zap-output:/zap/wrk:rw" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py \
  -t http://<elb-hostname> \
  -r zap_report.html \
  -I -m 5
```

**Publish report**: Uses the HTML Publisher plugin to publish `zap-output/zap_report.html`; it appears in the Jenkins build as "OWASP ZAP Report".

**Access the application**: Find this line in the Jenkins log:

```
Deployed App URL: <elb-hostname>.ap-south-1.elb.amazonaws.com
```

Open it in a browser: http://<elb-hostname>.ap-south-1.elb.amazonaws.com
- Fix Docker Scout-reported vulnerabilities by updating vulnerable NPM packages to their patched versions.
- Add security headers (e.g. `Content-Security-Policy`, `X-Frame-Options`, `X-Content-Type-Options`) to reduce OWASP ZAP warnings.
- Update the Jenkins pipeline to fail the build when:
  - Any Critical/High CVEs are detected by Docker Scout.
  - OWASP ZAP reports alerts above a defined severity threshold (e.g. High/Medium).
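One way to implement the two build gates listed above, as an added example that is not part of the project's pipeline: `scout_gate` relies on Docker Scout's `--exit-code` and `--only-severity` flags, and `zap_gate` counts alerts in the JSON report ZAP writes when the baseline scan is also given `-J zap_report.json` (a hypothetical file name; the sample report below is constructed so the gate can be exercised offline).

```bash
#!/usr/bin/env bash
# Added example, not part of the project's pipeline: shell gates that make the
# Docker Scout and OWASP ZAP stages fail the build above a severity threshold.
# Assumes the Scout CLI installed under .docker-plugins and a ZAP JSON report
# produced with "-J zap_report.json" (hypothetical file name).

# Fail when the image has any Critical/High CVE: "--exit-code" makes
# docker-scout return 2 if CVEs matching "--only-severity" are found.
scout_gate() {                                  # scout_gate <image>
  .docker-plugins/docker-scout cves --exit-code --only-severity critical,high "$1"
}

# Count ZAP alerts at or above a riskcode (3=High, 2=Medium, 1=Low, 0=Info).
# Prints the count; returns 1 when the build should fail, 0 otherwise.
zap_gate() {                                    # zap_gate <zap_report.json> [min_riskcode]
  local report=$1 min=${2:-2} total=0 code
  for code in $(grep -oE '"riskcode": *"?[0-9]"?' "$report" | grep -oE '[0-9]' || true); do
    [ "$code" -ge "$min" ] && total=$((total + 1))
  done
  echo "$total"
  [ "$total" -eq 0 ]
}

# Constructed sample in the shape of a ZAP baseline JSON report: two Medium
# alerts (missing CSP and anti-clickjacking headers) and one Low alert.
write_sample_zap_report() {                     # write_sample_zap_report <path>
  cat > "$1" <<'EOF'
{ "site": [ { "@name": "http://example-elb.ap-south-1.elb.amazonaws.com", "alerts": [
  { "pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2", "confidence": "3" },
  { "pluginid": "10020", "alert": "Missing Anti-clickjacking Header",            "riskcode": "2", "confidence": "2" },
  { "pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",       "riskcode": "1", "confidence": "2" } ] } ] }
EOF
}

# What a gating stage runs after the Scout and ZAP stages; ZAP_FAIL_LEVEL=3
# fails only on High alerts, the default (2) also fails on Medium.
run_gates() {                                   # run_gates <image> <zap_report.json>
  scout_gate "$1" && zap_gate "$2" "${ZAP_FAIL_LEVEL:-2}" >/dev/null
}
```

With the sample report the gate fails at the Medium threshold (two alerts) and passes at High (none), which matches the headers item above: adding those headers is what turns the Medium alerts off.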